Sguil Client

Contents

Connecting to the Server

Once the server (sguild) is running and the client (sguil.tk) can
connect, you can manage events on a near realtime basis. Events
populate the panes based on their priority (this is configurable).
Multiple clients can connect to a server at a time. This client/server
configuration also allows analyst to connect remotely more easily.
For example, if an analyst has remote ssh access to the server network,
he/she can tunnel the client/server communication over ssh:

$ ssh mysystem.server.net -L 7734:sguildsystem:7734

Now fire up sguil.tk and point it toward localhost.

Managing Events

Once an event has been reviewed, its status can be updated and the
event deleted from the client. To expire an event and set its status
to 1, select the event to expire->right click in status (ST) column
->Select Expire from the menu. Events validated as malicious can
also be placed into one of seven incident categories (see
File->Display Incident Categories for a description) by selecting
Update Event Status->Category from the menu. When an event is expired
or placed into Incident Category, it is removed from all connected
clients. Hot keys can also be used:

<F1>-<F7>: Place the event into Category I - VII
<F8>: Expire the event.

Querying the DB

Searches can be initiated using different "templates". For a blank
template, use Query->Event Query. Once selected, a query builder
allowing you to edit the query will pop up. Only the WHERE statement
can be edited. Other templates are available by selecting an event
and right clicking on the src/dst ip columns. NOTE: JOINs are now
handled internally. The WHERE will be scanned and the appropriate
FROM table1 JOIN table2 ON table1.foo=table2.foo will be prepended
to your query.

A blank template for session queries can be found under Query->Session Query
and a completely blank query builder can be found under Query->Query Builder.

If you wish to save a query for future use use Query->Standard Queries.
In the Standard Query dialog, select File->Add Query to add a new user query.
User queries are saved locally and therefore are only available on the
machine used to create them. To create a standard query for global use,
edit the sguild.queries file on your sguild server. In order to have sguild
reload the sguild.queries file and update the clients, send a -HUP signal
to the sguild process.

Correlated Events

Events that have the same src IP and signature/message are correlated
under the same event in the appropriate RT pane. Each time an event
is "correlated" the CNT field is incremented by one. To view all
the correlated events, select the event->right click on the CNT
column->View Correlated Events. The shortcut for this info is to
middle click on the CNT column of a selected event.

Generating Transcripts, loading data into Wireshark:
Make sure Wireshark is installed on the client system. Select an alert,
right click on the sid.cid column. Select Transcript or Wireshark.
Middle clicking on the sid.cid column of a highlighted event will
also request a transcript.

Creating Reports

Plain Text or Email reports can be created by selecting the events
to report and choosing Report-><Report Type>. Summary reports contain
the full packet headers, detail reports add the payloads. You can also
elect to sanitize your reports and have all IP addresses obfuscated. Keep
in mind that IP addresses encoded into payloads (ie. ICMP Dest Unreachable events)
will still exist in the output.

Query output can also be saved to a text file (human-readable, or delimited (CSV, <TAB>, |, etc)
by clicking the "Export" button in a query pane. This will export only the infomation
that is contained in the query pane (ie. no header details, no payloads, etc).

Sguil users who are interested in more comprehensive reports should visit the Sguil Reports with BIRT HOWTO page authored by Hanashi. BIRT is a very flexible package for creating reports consisting of both table and chart elements, which is ideal for presenting Network Security Monitoring (NSM) data to both analysts and managers. When it is used to run reports (as opposed to creating or editing new report designs), BIRT runs as a Java applet under control of an application server such as Tomcat or JBoss. The report designs are simply XML files, which means that they are easy to distributed and modify.

Auto-Categorization

You can have sguild automatically categorize events by editing the autocat.conf
file on the sguild server. These event will have a status automatically assigned
to them and will not appear in any analyst's console. Analysts can query
for "auto-catted" events by selecting the "Auto Cats" global standard query.
In order to have sguild reload the autocat.conf file,
send a -HUP signal to the sguild process. A HUP will only effect future events,
if you want to auto-cat previously received events, sguild must be restarted.

Other

The up/down arrows can be used to select previous/next event in the
pane. <Esc> will unselect all options (dns, whois, packet date, etc)
at once.

For a clearer understanding of the Sguil architecture check the Sguil
page, which contains a diagram of the Sguil 0.7.0 Data Flow written by nr.